New research into the unique phone identifiers on smartphones suggests potential privacy risks in the way some application makers handle the codes.

The identifiers — long strings of numbers and letters associated with the phone — don’t themselves hold any information about users. But the researcher, Aldo Cortesi, found that a mobile-gaming company connected the IDs to users’ locations and Facebook profiles, and then made the combined data available to outsiders.


Mr. Cortesi said the gaming company, OpenFeint, fixed the Facebook and location issues after he contacted the company about a month ago. California-based OpenFeint provides a gaming network that has more than 75 million registered users across more than 5,000 games, according to the company. Mr. Cortesi described his findings in a blog post last week.

OpenFeint did not immediately respond to a request for comment.

The biggest risks from OpenFeint may have been resolved, but the study raises questions about the way app makers and their partners handle the phone identifiers.

The Wall Street Journal found in a study last year that 56 of 101 popular smartphone apps passed one or more unique device IDs to other companies. That included three apps – The Moron Test and Ninjump on Apple Inc.’s iPhone and Fruitninja on Google Inc.’s Android platform – that passed device IDs to OpenFeint. Moron Test and Ninjump also transmitted data about the location of the phone to OpenFeint.

It’s not known if other companies that get these unique identifiers link them to other information and then make the data available to others. Mr. Cortesi, who is a network-security specialist based in New Zealand, concentrated on OpenFeint in this research, but he said he believes it’s likely that there are other databases that tie such IDs to users’ information.

Such practices would allow outsiders to obtain personal information about a user without the user’s consent. In the Journal’s study, the vast majority of the unique identifiers were sent without users’ knowledge or consent.

The unique identifier Mr. Cortesi studied is called a UDID and is found on the iPhone and other Apple devices. The combination of 40 numbers and letters is set by Apple and stays with the device forever.

Apple declined to comment. However, it warns app developers to handle UDIDs carefully. “For user security and privacy, you must not publicly associate a device’s unique identifier with a user account,” the company says in its guide for developers.

Mr. Cortesi did not study Android identifiers in his latest research. In its study, the Journal also saw applications transmit ID numbers on Android phones. That number can be changed if the user does a “factory reset” of the phone, which deletes the phone’s data and settings.

UPDATE: OpenFeint says that upon learning of the vulnerability it immediately stopped transmitting location and disabled the use of Facebook for profile pictures on the service. “We are not aware of any of our user’s information falling into the hands of any third parties as a result of this issue,” CEO Jason Citron said.

The company added: “OpenFeint takes privacy concerns seriously and is constantly monitoring privacy developments in a rapidly evolving industry. We are committed to developing and implementing state of the art privacy policies and to protecting our users’ personal information to the best of our abilities at all times.”